Polish retailer gets €645,000 fine under GDPR for “insufficient organizational and technical safeguards”

An online retailer in Poland has received a hefty fine under the General Data Protection Regulation (GDPR) after failing to protect the data collected from 2.2 million customers through the company’s nine websites.

The European Union last year passed the General Data Protection Regulation, a law that makes organizations more responsible in collecting and processing their customers’ personal data. While not enforcing a particular set of technological tools and processes, the GDPR imposes a minimum threshold that organizations must consider to ensure compliance. For Polish retailer Morele.net, this was sadly not the case.

Morele.net reportedly became aware of a breach on its systems in November 2018, when customers reported receiving SMS messages demanding additional payments to complete an order. The SMS scam contained a link to a fake electronic payment gateway controlled by the hackers.

While Morele.net took steps to remedy the situation following the breach, Poland’s Personal Data Protection Office (UODO) this week decided to fine the company PLN 2.8 million, or €645,000, for “insufficient organizational and technical safeguards”.

The President of UODO stated that Morele.net, “by not using sufficient technical means of data protection, violated, among others specified in art. 5 paragraph 1 letter f GDPR, the principle of confidentiality.”

According to itgovernance.eu, for most of the affected customers, the leaked data included names, telephone numbers, email addresses and delivery addresses. Of the 2.2 million customers affected, 35,000 had additional information leaked, including their payment instalment information (including Personal ID number), education, source of income and net income, household maintenance costs and marital status, according to the report.

Starting in mid-2019, data protection authorities across the EU have switched from an educative stance to a more corrective attitude, issuing the first fines under the newly adopted regulation. Among the highest-reported penalties this year are those incurred by British Airways (205 million euros), hotel chain Marriott (111 million euros) and Google (50 million euros).
